Email the current maintainer(s) with a description of the vulnerability. You should expect a response within 48 hours. If the vulnerability is accepted, a Github advisory will be created and eventually released with a CVE corresponding to the issue found.

A list of the current maintainers can be found on the README under the contact section. See: README.md